By searching for some of the content within the found Perl scripts (below)

So it turned out to be an issue with Plesk, which had been patched by the latest Micro Update, but I missed some minor steps such as the apachectrl2.lock.* files which were owned by the user who had started the second attacks (note that those users that had not created these files on the first attack had not re-attacked).